On Fri, Apr 04, 2025 at 01:04:10PM +0200, Simon Josefsson wrote:
> Ian Jackson <ijack...@chiark.greenend.org.uk> writes:
>
> > REJECTED ALTERNATIVE - ADDING THE KEY TO THE DD KEYRING
> >
> > One approach that would let tag2upload function correctly, would be
> > adding the tag2upload service key to debian-keyring.gpg, as if it were
> > a human uploading DD.
>
> How about adding the tag2upload keys to a NEW keyring instead?
>
> https://salsa.debian.org/debian-keyring/keyring/
>
> I think tag2upload is a different enough mechanism that it could warrant
> an entire new class of keyring. By including it in the official debian
> keyring package, we get some historic accountability of which keys were
> used. You also get a way to phase in new keys and phase out old keys.
>
> I suggest not putting it in the "debian-role-keys" but instead a new
> "debian-tag2upload-keys" keyring. It seems like a sensible
> implementation approach to accept any key in that keyring as being a
> "tag2upload" key, rather than hard-coding particular key fingerprints in
> various configuration files or scripts.
>
> /Simon

I believe that this is the right approach, fwiw. We need to be able
to say which keys can upload to the Debian archive, and the
debian-keyring is where that knowledge should live.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer
i speak de, en